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Abstract — Definitions  of  election  verifiability  in  the  compu¬ 
tational  model  of  cryptography  are  proposed.  The  definitions 
formalize  notions  of  voters  verifying  their  own  votes,  auditors 
verifying  the  tally  of  votes,  and  auditors  verifying  that  only 
eligible  voters  vote.  The  Helios  (Adida  et  al.,  2009)  and  JCJ 
(Juels  et  al.,  2010)  election  schemes  are  analyzed  using  these 
definitions.  Helios  4.0  satisfies  the  definitions,  but  Helios  2.0  does 
not  because  of  previously  known  attacks.  JCJ  does  not  satisfy 
the  definitions  because  of  a  trust  assumption  it  makes,  but  it 
does  satisfy  a  weakened  definition.  Two  previous  definitions  of 
verifiability  (Juels  et  al.,  2010;  Cortier  et  al.,  2014)  are  shown  to 
permit  election  schemes  vulnerable  to  attacks,  whereas  the  new 
definitions  prohibit  those  schemes. 


I.  Introduction 

Electronic  voting  systems  that  have  been  deployed  in  real- 
world,  large-scale  public  elections  place  extensive  trust  in 
software  and  hardware.  Unfortunately,  instead  of  being  trust¬ 
worthy,  many  systems  are  vulnerable  to  attacks  that  could 
bring  election  outcomes  into  disrepute  (T9),  1 45 1,  (56),  (84).  So 


relying  solely  on  tmst  in  voting  systems  is  unwise;  verification 
of  election  outcomes  is  essential]]] 

Election  verifiability  enables  voters  and  auditors  to  ascertain 
the  correctness  of  election  outcomes,  regardless  of  whether 
the  software  and  hardware  of  the  voting  system  are  trustwor¬ 
thy  (2),  (3),  (25),  [57),  (75).  Kremer  et  al.  [63j  decompose 
election  verifiability  into  three  aspects]^ 

•  Individual  verifiability:  voters  can  check  that  their  own 
ballots  are  recorded. 

•  Universal  verifiability:  anyone  can  check  that  the  tally  of 
recorded  ballots  is  computed  properly. 

•  Eligibility  verifiability:  anyone  can  check  that  each  tallied 
vote  was  cast  by  an  authorized  voter. 

We  propose  new  definitions  of  these  three  aspects  of  verifi¬ 
ability  in  the  computational  model  of  cryptography.  We  show 
that  individual  and  universal  verifiability  are  orthogonal,  and 
that  eligibility  verifiability  implies  individual  verifiability. 

Because  some  electronic  voting  systems  implement  voter 
authentication  themselves,  whereas  other  systems  outsource 


lDoveryai,  no  proveryai  (trust,  but  verify)  says  the  Russian  proverb. 

2This  decomposition  has  been  criticized  169);  we  refute  that  criticism  in 
Section  |VII| 


voter  authentication  to  third  parties,  we  develop  two  variants  of 
our  definitions — one  for  systems  with  internal  authentication 
and  another  for  systems  with  external  authentication.  We 
employ  our  definitions  to  analyze  the  verifiability  of  two  well- 
known  election  schemes,  JCJ  [59)  and  Helios  ©■  JCJ  is  an 
election  scheme  that  achieves  coercion  resistance  and  has  been 
implemented  as  Civitas  1 29 1 ;  it  implements  its  own  internal 
authentication.  Helios  is  a  web-based  voting  system  that  has 
been  deployed  in  the  real-world  and  outsources  authentication. 

The  Helios  2.0  election  scheme  is  known  to  have  vul¬ 
nerabilities  that  enable  attacks  on  verifiability,  and  several 
patches  for  those  vulnerabilities  have  been  proposed  (T7),  (ig, 
||33j,  (34).  By  employing  those  proposed  patches,  we  obtain 
a  scheme  called  Helios  4.0  that  satisfies  our  definition  of 
election  verifiability  with  external  authentication.  Helios  2.0, 
as  expected,  fails  to  satisfy  our  definition. 

The  JCJ  election  scheme  does  not  satisfy  our  definition 
of  eligibility  verifiability,  because  an  adversary  who  learns 
the  tallier’s  private  key  could  cast  unauthorized  votes.  We 
introduce  a  weakened  definition  of  eligibility  verifiability, 
incorporating  JCJ’s  trust  assumption  that  the  private  key  is 
unknown  to  the  adversary,  and  show  that  JCJ  satisfies  our 
weakened  definition  of  election  verifiability  with  internal  au¬ 
thentication. 

Our  definitions  of  election  verifiability  improve  upon  two 
previous  definitions  (32),  (59)  by  detecting  a  new  class  of 
collusion  attacks ,  in  which  the  tallying  algorithm  announces 
an  incorrect  tally,  and  the  verification  algorithm  colludes  with 
the  tallying  algorithm  to  accept  the  incorrect  tally.  Examples 
of  collusion  attacks  include  vote  stuffing,  and  announcing 
tallies  that  are  independent  of  the  election.  Our  definitions 
also  improve  upon  those  previous  definitions  by  detecting 
a  new  class  of  biasing  attacks ,  in  which  the  verification 
algorithm  rejects  some  legitimate  election  outcomes.  Examples 
of  biasing  attacks  include  rejecting  outcomes  in  which  a 
particular  candidate  does  not  win,  and  rejecting  all  election 
outcomes,  even  correct  outcomes. 

This  paper  thus  contributes  to  the  security  of  electronic 
voting  systems  by 

•  proposing  computational  definitions  of  election  verifiabil- 
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ity, 

•  showing  that  individual,  universal,  and  eligibility  verifia¬ 
bility  are  mostly  orthogonal  properties  of  voting  systems, 

•  proving  that  well-known  election  schemes  do  (or  do  not) 
satisfy  election  verifiability,  and 

•  identifying  collusion  and  biasing  attacks  as  new  classes 
of  attacks  on  voting  systems  and  demonstrating  that  they 
are  not  detected  by  two  earlier  definitions. 


Ours  are  the  first  proofs  that  Helios  4.0  and  JCJ  satisfy  a 
computational  definition  of  verifiability. 

Structure:  Section  [II]  defines  election  verifiability  with  ex¬ 


ternal  authentication.  Section  III  analyzes  Helios.  Section  IV 


defines  election  verifiability  with  internal  authentication.  Sec¬ 
tion  [V]  analyzes  JCJ.  Section  VI  introduces  collusion  and  bias¬ 


ing  attacks.  Section|VII|reviews  related  work,  and  Section|yiH 
concludes. 


board  BB,  which  we  model  as  a  setj^j  Tally  takes  as 
input  the  public  key  PK- j  and  private  key  SKj-  of  the 
tallier,  the  bulletin  board  BB,  the  number  of  candidates 
nc,  and  security  parameter  k.  It  outputs  a  tally  X  and  a 
non-interactive  proof  P  that  the  tally  is  correct.  A  tally 
is  a  vector  X  of  length  nc  such  that  X[j]  indicates  the 
number  of  votes  for  candidate  Cj  Q 
•  Verify,  denoted  v  <—  Verify(PA^7-,  BB,  nc,  X,  P,  k),  can 
be  executed  by  anyone  to  audit  the  election.  Verify  takes 
as  input  the  public  key  PK 7-  of  the  tallier,  the  bulletin 
board  BB,  the  number  of  candidates  nc,  a  tally  X,  a 
proof  P  of  correct  tallying,  and  security  parameter  k.  It 
outputs  a  bit  v,  which  is  1  if  the  tally  successfully  verifies 
and  0  otherwise.  We  assume  that  Verify  is  deterministic. 
Election  schemes  must  satisfy  Correctness,  which  asserts 
that  tallies  produced  by  Tally  corresponds  to  the  choices  input 
to  Vote: 


II.  External  Authentication 

Some  election  schemes  do  not  implement  authentication 
themselves,  but  instead  rely  on  an  external  authentication 
mechanism.  Helios,  for  example,  supports  authentication  with 
Facebook,  Google  and  Yahoo  credentials]^]  In  essence,  the 
election  scheme  outsources  ballot  authentication.  We  begin  by 
defining  election  verifiability  for  that  model. 

A.  Election  scheme 

An  election  scheme  with  external  authentication ,  which 
henceforth  in  this  section  we  abbreviate  as  “election  scheme,” 
is  a  tuple  (Setup,  Vote,  Tally,  Verify)  of  probabilistic  polyno¬ 
mial-time  (PPT)  algorithms: 

•  Setup,  denotecj^]  (PKp,  SK'f,  ms,  me)  <r-  Setup(fc),  is 
executed  by  the  tallier,  who  is  responsible  for  tallying 
ballots]^] Setup  takes  a  security  parameter  k  as  input  and 
outputs  a  key  pair  (PK 7-,  SK 7-),  a  maximum  number  of 
ballots  ms,  and  a  maximum  number  of  candidates  me- 

•  Vote,  denoted  b  •<—  Vote(PAT 7-,  nc,  ft  k),  is  executed 
by  voters.  A  voter  makes  a  choice  of  candidate  from 
a  sequence  Ci,...,c„c  of  candidates.  A  well-formed 
choice  is  an  integer  ft  such  that  1  <  (3  <  nc-  Vote  takes 
as  input  the  public  key  PK 7-  of  the  tallier,  the  number 
nc  of  candidates,  the  voter’s  choice  (3  of  candidate,  and 
security  parameter  k.  It  outputs  a  ballot  b,  or  error  symbol 
_L.  An  error  might  occur  if  the  candidate  choice  is  not 
well-formed  or  for  other  reasons  particular  to  the  election 
scheme. 

.  Tally,  denoted  (X,  P)  <-  Tally(PXr,  SKr,  BB,  nc,  k), 
is  executed  by  the  tallier.  It  involves  a  public  bulletin 

'https://github.com/benadida/helios-server/tree/master/helios_auth/auth_ 
systems  accessed  4  Aug  2015. 

4Let  Alg(m;  r)  denote  the  output  of  probabilistic  algorithm  Alg  on  input 
in  and  random  coins  r.  Let  Alg(m)  denote  Alg(m;r),  where  r  is  chosen 
uniformly  at  random.  And  let  «—  denote  assignment. 

5  Some  election  schemes  (e.g.,  Helios  and  JCJ)  permit  the  tallier’s  role  to  be 
distributed  amongst  several  talliers.  For  simplicity,  we  consider  only  a  single 
tallier  in  this  paper. 


Definition  1  (Correctness).  There  exists  a  negligible  function 
fi,  such  that  for  all  security  parameters  k,  integers  n b  and 
nc,  and  choices  /?i,...,/3ns  G  {1  ,...,nc}>  it  holds  that 
if  Y  is  a  vector  of  length  nc  whose  components  are  all  0,  then 

Pr[(PKp,  SKp,  tub ,  me)  Setup(/c); 

for  1  <  i  <  ns  do 

h  <r-  Vot e(PKr,  nc,  ft,  k); 

_  Y  [ft]  «-  Y[ft]  +  1; 

BB  •<—  {ft, . . . ,  bnB  }; 

(X,  P )  <-  Tally(PXr,  SKr,  BB,  nc,  k)  : 

r ib  <  ms  A  nc  <  me  =>  X  =  Y]  >  1  —  p{k). 

Note  that  Correctness  does  not  involve  an  adversary.  Correct¬ 
ness  therefore  stipulates  that,  under  ideal  conditions,  an  elec¬ 
tion  scheme  does  indeed  produce  the  correct  tally.  Correctness 
is  not  actually  necessary  to  achieve  verifiability:  our  definition 
of  universal  verifiability  will  ensure  that,  in  the  presence  of 
an  adversary.  Verify  detects  any  errors  in  the  tally.  But  it  is 
reasonable  to  rule  out  election  schemes  that  simply  do  not 
work  properly  under  ideal  conditions. 

Election  schemes  must  also  satisfy  Completeness,  which 
stipulates  that  tallies  produced  by  Tally  will  actually  be 
accepted  by  Verify: 

Definition  2  (Completeness).  There  exists  a  negligible  func¬ 
tion  p,  such  that  for  all  security  parameters  k,  bulletin  boards 
BB,  and  integers  nc,  it  holds  that 

Pt[(PKp,  SKp,  tub,  me)  Setup  (A;); 

(X,  P)  <-  Tally(PXr,  SKr,  BB,  nc,  k)  : 

\BB\  <  ms  A  nc  <  me  => 

Verify(PJf7-,  BB,  nc,  X,  P,  k)  =  1]  >  1  —  p(k). 

'’Bulletin  boards  have  also  been  modeled  as  public  broadcast  channels  J351, 
|76|,  |78|.  We  abstract  from  the  details  of  channels  by  employing  sets  to 
represent  the  data  sent  on  them.  We  favor  sets  over  multisets,  because  Cortier 
and  Smyth  (33),  |34)  demonstrate  attacks  against  privacy  when  the  bulletin 
board  is  modeled  as  a  multiset. 

7  Let  X[i]  denote  component  i  of  vector  X. 
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Without  Completeness,  election  schemes  might  be  vulnerable 


to  biasing  attacks,  as  we  show  in  Section  VI-B 


Finally,  election  schemes  must  satisfy  Injectivity,  which 
asserts  that  a  ballot  cannot  be  interpreted  as  a  vote  for  more 
than  one  candidate: 


and  k  denotes  a  security  parameter,  therefore  challenges  A  to 
generate  a  scenario  in  which  the  voter  cannot  uniquely  identify 
their  ballot.  In  essence,  Exp-IV-Ext  challenges  A  to  generate 
a  collision  from  Vote0  If  A  cannot  win,  then  voters  can 
uniquely  identify  their  ballots  on  the  bulletin  board: 


Definition  3  (Injectivity).  For  all  security  parameters  k,  public 
keys  PKp,  integers  nc,  and  choices  /3  and  fi' ,  such  that  p  7^ 
P' ,  we  have 


Pr[6  \Zote(PKj-,  nc,  P,  k); 
b’ t—  Vote  (PAT 7-,  nc,  P’ ,  k)  : 
b  £  A  A  &V  1  =>  b  ^  b']  =  1. 


Injectivity  ensures  that  distinct  choices  are  not  mapped  by 
Vote  to  the  same  ballot.  Without  Injectivity,  an  election 
scheme  might  produce  ballots  whose  meaning  is  ambiguous. 
For  example,  if  Vote (PP 7-, roc, P,k;r)  were  defined  to  be 
P  +  r,  then  a  ballot  b  could  be  tallied  as  any  well-formed 
choice  p'  such  that  /?'  =  b  —  r'  for  some  r' .  But  that  definition 
of  Vote  is  prohibited  by  Injectivity.  Thus,  Injectivity  helps 
to  ensure  that  the  choices  used  to  construct  ballots  can  be 
uniquely  tallied. 

Limitations:  Our  model  of  election  schemes  is  sufficient 
to  analyze  Helios  and,  after  we  extend  the  model  to  handle 
internal  authentication  in  Section |IV-A|  JCJ.  These  are  notable 
schemes,  and  formally  analyzing  their  verifiability  is  a  novel 
contribution.  But  there  are  other  notable  schemes  that  fall 
outside  our  model: 


•  Pret  a  Voter  [25],  MarkPledge  [73 1,  Scantegrity  II 
and  Remotegrity  [  85 jj  all  rely  on  features  implemented 
with  paper,  such  as  scratch-off  surfaces  and  detachable 
columns. 

•  Everlasting  privacy  [72),  which  requires  Vote  to  output 
a  public  ballot  and  a  secret  proof,  involving  temporal 
information,  to  the  voter. 

•  Scytl’s  Pnyx.core  ODBP  1.0  [28),  which  requires  the 
bulletin  board  to  be  divided  into  two  parts:  a  public  part 
visible  to  all  participants,  and  a  secret  part  visible  only 
to  election  administrators. 

We  leave  extension  of  our  model  to  other  election  schemes  as 
future  work. 


B.  Election  verifiability 

Election  verifiability  comprises  three  aspects:  individual, 
universal,  and  eligibility  verifiability.  We  express  each  as  an 
experiment,  which  is  an  algorithm  that  outputs  0  or  1.  The 
adversary  wins  an  experiment  by  causing  it  to  output  1. 

1 )  Individual  verifiability:  In  our  model  of  election 
schemes,  all  recorded  ballots  are  posted  on  the  bulletin  board. 
So  for  a  voter  to  verify  that  their  ballot  has  been  recorded,  it 
suffices  to  enable  them  to  uniquely  identify  their  ballot  on  the 
bulletin  hoard  0 

Individual  verifiability  experiment  Exp-IV-Ext(n,  A,  k), 
where  n  denotes  an  election  scheme,  A  denotes  the  adversary. 


8  Section 


VIII 


addresses  the  complementary  issue  of  whether  a  recorded 


ballot  corresponds  to  the  candidate  choice  a  voter  intended  to  make. 


Exp-IV-Ext(n,  A,  k)  = 

1  {PKr,tic,P,P')  <r-  A(k); 

2  b  «—  \/ote(PK-p,  nc,  P,  k)\ 

3  b'  <—  Vote (PiT 7-,  nc,  P' ,  k); 

4  if  b  =  b'  A  6  7^  _L  A  (/  /  _L  then 
s  |  return  1 

6  else 

7  |_  return  0 

Line  1  asks  A  to  compute  two  candidate  choices  3  and  3' , 
such  that  ballots  b  and  b'  for  those  choices,  as  computed  by 
Vote  in  lines  2  and  3,  are  equal.  Individual  verifiability  thus 
resembles  Injectivity,  but  individual  verifiability  allows  choices 
to  be  equal  and  allows  A  to  choose  election  parameters. 

One  way  to  achieve  individual  verifiability  is  to  base  the 
election  scheme  on  a  probabilistic  encryption  scheme,  such  as 
El  Gamal  ED-  Intuitively,  if  Vote  encrypts  the  choice  using 
random  coins,  then  it  is  overwhelmingly  unlikely  that  two 
votes  will  result  in  the  same  ballot.  Our  proofs  that  Helios 
and  ICJ  satisfy  individual  verifiability  are  based  on  this  idea. 

Clash  attacks:  In  a  clash  attack  ED-  the  adversary 
convinces  some  voters  that  a  single  ballot  belongs  to  them 
all.  Some  clash  attacks  are  possible  because  of  vulnerabilities 
in  the  design  of  Vote.  For  example,  if  Vote  simply  outputs 
candidate  choice  p,  then  a  voter  has  no  way  to  distinguish 
their  vote  for  P  from  another  voter’s  vote  for  p.  Exp-IV-Ext 
detects  clash  attacks  resulting  from  vulnerabilities  in  Vote. 

Some  clash  attacks,  however,  are  possible  because  the 
adversary  subverts  the  implementation  of  Vote.  For  example, 
the  adversary  might  replace  some  hardware  or  software,  or 
compromise  the  random  number  generator.  If  any  one  of 
these  aspects  is  compromised,  then  Vote  has  effectively  been 
changed  to  a  different  algorithm  Vote7.  The  conclusions  drawn 
by  a  security  analyst  who  uses  our  definition  of  individual  ver¬ 
ifiability  to  analyze  Vote  would  not  necessarily  be  applicable 
to  Vote'. 

In  short,  a  voter  can  verify  that  their  ballot  has  been  recorded 
if  and  only  if  they  run  the  correct  Vote  algorithm.  We  make 
no  guarantees  to  voters  that  do  not  run  the  correct  Vote 
algorithm.  One  way  to  make  stronger  guarantees  is  to  use  cut- 
and-choose  protocols  to  audit  ballots  ED-  CD-  This  would 
require  modeling  voting  as  an  interactive  protocol  with  the 
adversary,  rather  than  as  an  algorithm.  We  leave  this  extension 
as  future  work. 

2)  Universal  verifiability:  For  an  election  to  be  universally 
verifiable,  anyone  must  be  able  to  check  that  a  tally  is  correct 
with  respect  to  recorded  ballots — that  is,  the  tally  represents 

9 Exp-IV-Ext  can  be  equivalently  formulated  as  an  experiment  that  chal¬ 
lenges  A  to  predict  the  output  of  Vote.  See  the  companion  technical  report  Q) 
for  details. 
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the  choices  used  to  construct  the  recorded  ballots.  Because 
anyone  can  execute  Verify,  it  suffices  that  Verify  accepts  only 
when  that  property  holds. 

Universal  verifiability  experiment  Exp-UV-Ext(II,  A,  k) 
therefore  challenges  adversary  A  to  concoct  a  scenario  in 
which  Verify  incorrectly  accepts: 

Exp-UV-Ext(II,  A,  k)  = 
t  (PKt,  BB,  nc,  X,  P)  -t—  A(k)\ 

2  Y  •<—  correct-tally {PKp,BB,nc,k)\ 

3  if  X  yf  Y  A  Verify (PKT,  BB,  nc,  X,  P,  k )  =  1  then 

4  |  return  1 
s  else 

6  return  0 

In  line  1,  A  is  challenged  to  create  a  bulletin  board  BB  and 
purported  tally  X  of  that  bulletin  board.  Line  2  constructs 
the  correct  tally  Y  of  BB,  and  line  3  checks  whether  Verify 
accepts  an  incorrect  tally.  If  A  cannot  win  Exp-UV-Ext,  then 
Verify  will  not  accept  incorrect  tallies.  In  particular,  no  ballots 
can  be  omitted  from  the  tally,  and  at  most  one  candidate  choice 
can  be  included  in  the  tally  for  each  ballot. 

Let  function  correct-tally  be  defined  such  that  for  all  PKp, 
BB,  nc,  k,  £,  and  /?  e  {1, . . . ,  nc}, 

correct-tally (PK j- ,  BB,  nc,  k)[/3\  =  £ 

3=eb  G  {BB\{±})  : 

3r  :  b  =  \/ote(PKT,  nc,  fi,  fc;  r). 

The  vector  produced  by  correct-tally  must  be  of  length 
nc-  Component  /3  of  vector  correct-tally(PKp,  BB,nc,k) 
equals  £  iff  there  exisj^]  £  ballots  on  the  bulletin  board 
that  are  votes  for  candidate  (3.  It  follows  that  the  output 
of  correct-tally  represents  the  choices  used  to  construct  the 
recorded  ballots.  Note  that,  without  Injectivity,  the  existential 
quantification  in  correct-tally  could  permit  a  ballot  to  be 
tallied  for  more  than  one  candidate.  Of  course,  correct-tally 
cannot  be  computed  by  a  PPT  algorithm  for  typical  crypto¬ 
graphic  election  schemes.  But  that  does  not  matter,  because 
correct-tally  is  never  actually  computed  as  part  of  an  election 
scheme — its  use  is  solely  in  the  definition  of  Exp-UV-Extp] 

Security  analysts  must  convince  themselves  that 
correct-tally  is  indeed  correct.  Because  of  the  function’s 
simplicity,  this  should  be  relatively  straightforward.  By 
comparison.  Tally  algorithms  for  real  voting  schemes  tend 
to  be  complicated.  For  example,  compare  the  complexity  of 
correct-tally  to  Helios’s  Tally  algorithm,  which  appears  in 
the  companion  technical  report  (T). 

By  design,  Exp-UV-Ext  assumes  that  the  ballots  on  bulletin 
board  BB  are  exactly  the  ballots  that  should  be  tallied. 
The  external  authentication  mechanism  is  assumed  to  prohibit 

10The  definition  of  correct-tally  employs  a  counting  quantifier  \l9\ 
denoted  3=.  Predicate  (B~^x  :  P(x) )  holds  exactly  when  there  are  £  distinct 
values  for  x  such  that  P(x)  is  satisfied.  Variable  x  is  bound  by  the  quantifier, 
whereas  £  is  free. 

1 1  Kiayias  et  al.  [bTj  use  a  similar  super-polynomial  vote  extractor  to  recover 
choices  from  ballots  in  an  experiment  defining  verifiability. 


unauthorized  ballots  from  being  posted  on  BB.  Helios  makes 
such  an  assumption  about  its  external  authentication  mecha¬ 
nism. 

3)  Eligibility  verifiability:  For  an  election  to  satisfy  eligi¬ 
bility  verifiability,  anyone  must  be  able  to  check  that  every 
tallied  vote  was  cast  by  an  authorized  voter — that  is,  it  must 
be  possible  to  authenticate  ballots.  In  election  schemes  with 
external  authentication,  a  trusted  third  party  authenticates 
ballots.  That  third  party  might  convince  itself  that  all  tallied 
ballots  have  been  authenticated,  but  it  cannot  convince  all  other 
parties.  Eligibility  verifiability,  therefore,  is  not  achievable  in 
election  schemes  with  external  authentication. 

4)  Election  verifiability:  With  Exp-IV-Ext  and 

Exp-UV-Ext,  we  define  election  verifiability  with  external 
authentication.  Let  a  PPT  adversary’s  success  Succ(Exp(-)) 
in  an  experiment  Exp(-)  be  the  probability  that  the  adversary 
wins — that  is,  Succ(Exp(-))  =  Pr[Exp(-)  =  1], 

Definition  4  (Ver-Ext).  An  election  scheme  n  satisfies  elec¬ 
tion  verifiability  with  external  authentication  (Ver-Ext)  if  for 
all  PPT  adversaries  A,  there  exists  a  negligible  function 
p,,  such  that  for  all  security  parameters  k,  it  holds  that 
Succ(Exp-IV-Ext(n,  A,  k))  +  Succ(Exp-UV-Ext(n,  A,  k))  < 
p(k). 

An  election  scheme  satisfies  individual  verifiability  if 
Succ(Exp-IV-Ext(n,  A,  k))  <  p(k),  and  similarly  for  univer¬ 
sal  verifiability. 

C.  Example — Toy  scheme  from  nonces 

A  toy  election  scheme  satisfying  Ver-Ext  can  be  based  on 
nonces.  Each  voter  publishes  a  nonce  paired  with  her  choice 
of  candidate  to  the  bulletin  board.  This  scheme  illustrates  the 
essence  of  election  verifiability,  even  though  it  does  not  offer 
any  privacy. 

Definition  5.  Election  scheme  Nonce  is  defined  as  follows: 

•  Setup(fc)  outputs  (_L,  -L,pi(k),p2(k)),  where  pi  and  p2 
may  be  any  polynomial  functions. 

•  \Zote(PKp,nc,  /3,k)  selects  a  nonce  r  uniformly  at 
random  from  Z2k  and  outputs  (r,  j3). 

•  Ta\\y{PK'f,  SKp,  BB,nc,k)  computes  a  vector  X  of 
length  nc,  such  that  X  is  a  tally  of  the  votes  on  BB  for 
which  the  nonce  is  in  Z 2k,  and  outputs  (X,_L). 

•  \Zerify(PKp,  BB,nc,X,P,k)  outputs  1  if  (X,  P)  = 
Tally(_L,  _L,  BB,  nc,  k)  and  0  otherwise. 

Proposition  1.  Nonce  satisfies  Ver-Ext. 

Proof  sketch.  Nonce  satisfies  individual  verifiability,  because 
voters  can  use  their  nonce  to  check  that  their  own  ballot 
appears  on  the  bulletin  board.  With  overwhelming  probability. 
Vote  will  select  unique  nonces  for  each  voter,  hence  generate 
distinct  ballots.  Nonce  also  satisfies  universal  verifiability, 
because  plaintext  candidate  choices  are  posted  on  the  bulletin 
board.  □ 
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D.  Orthogonality 

Exp-IV-Ext  and  Exp-UV-Ext  capture  orthogonal  security 
properties.  A  scheme  that  satisfies  individual  verifiability  but 
violates  universal  verifiability  can  be  constructed  from  Nonce 
by  modifying  Verify  to  always  output  1.  Voters  can  still  check 
that  their  own  ballot  appears.  But  an  adversary  can  easily  win 
Exp-UV-Ext,  because  Verify  will  accept  any  tally.  A  scheme 
that  satisfies  universal  verifiability  but  violates  individual 
verifiability  can  be  constructed  from  Nonce  by  removing  the 
nonces,  leaving  just  the  voter’s  choice  in  the  ballots.  Call 
that  scheme  Choice.  Anyone  can  still  verify  the  tally  of  the 
election,  but  an  adversary  can  easily  win  Exp-IV-Ext,  because 
two  votes  for  the  same  candidate  will  collide. 

III.  Case  Study:  Helios 


in  zero  knowledge  that  decryption  was  performed  cor¬ 
rectly.  Finally,  the  tallier  publishes  the  winning  candidate 
and  proof  of  correct  decryption. 

•  Verification.  A  verifier  recomputes  the  homomorphic 
combination  and  checks  all  the  zero-knowledge  proofs. 

We  give  a  formal  description  of  Helios  4.0  in  the  companion 
technical  report  [1|{^] Using  that  formalization,  we  can  prove 
that  Helios  4.0  is  verifiable: 

Theorem  2.  Helios  4.0  satisfies  Ver-Ext. 

Proof  sketch.  Helios  4.0  satisfies  individual  verifiability,  be¬ 
cause  the  probabilistic  encryption  scheme  ensures  that  ballots 
are  unique,  with  overwhelming  probability.  And  Helios  4.0 
satisfies  universal  verifiability,  because  the  zero-knowledge 
proofs  can  be  publicly  verified.  □ 


Helios  is  an  open-source,  web-based  electronic  voting  sys- 
temp] Helios  has  been  deployed  in  the  real-world:  the  Interna¬ 
tional  Association  of  Cryptologic  Research  (IACR)  has  used 
Helios  annually  since  2010  to  elect  board  members  1 14 1,  ED’ 
[53).  the  Catholic  University  of  Louvain  used  Helios  to  elect 
the  university  president  (6),  and  Princeton  University  has  used 
Helios  to  elect  several  student  governments  @, 

Attacks  have  been  discovered  against  the  original  Helios 
scheme,  and  defenses  against  those  attacks  have  been  pro¬ 
posed  (17).  (18).  (33),  (34).  For  clarity,  we  write  Helios  2.0 
to  refer  to  the  Helios  scheme  as  originally  proposed  (6)  and 
Helios  4.0  to  refer  to  a  version  of  Helios  that  incorporates 
the  defenses^  When  referring  in  general  to  both  of  these 
schemes,  we  simply  write  Helios. 

To  achieve  verifiability  while  maintaining  ballot  se¬ 
crecy  Q5),  og,  Helios  homomorphic  ally  encrypts  candidate 
choices.  During  tallying,  all  encrypted  choices  are  homomor- 
phically  combi nci| 14 1  into  a  single  ciphertext,  which  is  then 
decrypted  to  reveal  the  tally.  Informally,  Helios  works  as 
follows: 


•  Setup.  The  tallier  generates  a  key  pair  for  a  homomorphic 
encryption  scheme  and  publishes  the  public  key. 

•  Voting.  A  voter  encrypts  her  candidate  choice  with  the 
tallier’s  public  key,  and  she  proves  in  zero  knowledge  that 
the  ciphertext  contains  a  well-formed  choice.  The  voter 
posts  her  ballot  (i.e.,  ciphertext  and  proof)  on  the  bulletin 
board.  During  posting,  the  bulletin  board  is  assumed  to 
correctly  authenticate  voters. 

•  Tallying.  The  tallier  discards  any  ballots  from  the  bulletin 
board  for  which  proofs  do  not  hold.  The  tallier  homomor- 
phically  combines  the  ciphertexts  in  the  remaining  bal¬ 
lots,  decrypts  the  homomorphic  combination,  and  proves 


https://vote.heliosvoting.org/ 

13Our  analysis  of  Helios  4.0  is  based  on  the  specification  1 5  ]  for  the  next 
release.  This  specification  incorporates  proposals  by  Cortier  and  Smyth  (34) 
for  non-malleable  ballots  and  by  Bernhard  et  al.  |18|  to  replace  the  weak 
Fiat-Shamir  transformation  with  the  strong  Fiat-Shamir  transformation. 

14The  homomorphic  combination  of  ciphertexts  is  straightforward  for  two- 
candidate  elections  G3.  G3>  0.  S  (ZD  since  choices  (e.g.,  “yes” 
or  “no”)  can  be  encoded  as  1  or  0.  Multi-candidate  elections  are  also 
possible  fig,  a,  a- 


A  formal  proof  of  Theorem  [2]  appears  in  the  companion 
technical  report  0-  The  proof  assumes  the  random  oracle 
model  (9). 

We  would  not  expect  Ver-Ext  to  hold  for  Helios  2.0,  because 
of  known  attacks  00-  Accordingly,  we  prove  that  Helios  2.0 
does  not  satisfy  Ver-Ext  in  the  companion  technical  report  [1 1. 


IV.  Internal  Authentication 
Some  election  schemes  implement  their  own  authentication 


mechanisms.  JCJ  |57)-|59||  and  Civitas  J29J,  for  example, 
authenticate  ballots  based  on  credentials  issued  to  voters  by 
a  registration  authority.  Schemes  with  this  kind  of  internal 
authentication  enable  verification  of  whether  tallied  ballots 
were  cast  by  authorized  voters. 


A.  Election  scheme 


A  registrar  is  responsible  for  issuing  authentication  creden¬ 
tials  to  voters Each  voter  is  associated  with  a  credential  pair 
(pk,  sk).  The  voter  uses  private  credential  sk  to  construct 
a  ballot.  Public  credential  pk  is  used  during  tallying  and 
verification.  Let  L  denote  the  electoral  roll ,  which  is  the  set 
of  all  public  credentials. 

An  election  scheme  with  internal  authentication ,  which 
henceforth  in  this  section  we  abbreviate  as  “election  scheme,” 
is  a  tuple  (Setup,  Register,  Vote,  Tally,  Verify)  of  PPT  algo¬ 
rithms.  The  algorithms  are  now  denoted  as  follows: 

•  (PK 7-,  SKj-,  ms,  me)  <—  Setup(fc) 

•  (pk,sk)  <r-  Register  (PK-/-,  k) 

•  b  -S—  Vote(sfc,  PK-r,nc,  /3,k) 

.  (X,  P )  <-  Tally (PKr,  SKTl  BB,  L,  nc,  k) 

•  v  <—  \/er\fy(PK']-,  BB,  L,  nc,  X,  P,  k) 


Setup  is  unchanged  from  election  schemes  with  external 
authentication  (cf.  jjll-A  1.  The  only  change  to  Vote  is  that  it 
now  accepts  private  credential  sk  as  input.  Similarly,  the  only 
change  to  Tally  and  Verify  is  that  they  now  accept  electoral 


15  Our  formalization  is  the  first  cryptographic  description  of  Helios  4.0, 
hence  an  additional  contribution  of  this  work. 

16Some  election  schemes  (e.g.,  JCJ)  permit  the  registrar’s  role  to  be 
distributed  among  several  registrars.  For  simplicity,  we  consider  only  a  single 
registrar  in  this  paper. 
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roll  L  as  input.  Register  is  executed  by  the  registrar.  It  takes  as 
input  the  public  key  PKj-  of  the  tallier  and  security  parameter 
k,  and  it  outputs  a  credential  pair  ( pk,sk ).  After  all  voters 
have  been  registered,  the  registrar  certifies  the  electoral  roll, 
perhaps  by  digitally  signing  and  publishing  itp] 

Election  schemes  must  continue  to  satisfy  Correctness, 
Completeness,  and  Injectivity,  which  we  update  to  include 
private  credentials  and  the  electoral  roll: 

Definition  6  (Correctness).  There  exists  a  negligible  function 
p,  such  that  for  all  security  parameters  k,  integers  ns  and 
nc,  and  choices  Pi, . . . ,  /3nB  €  {1, . . . ,  tie},  it  holds  that 
ifY  is  a  vector  of  length  nc  whose  components  are  all  0,  then 

Pr[(PKp,  SKp,  ms,  me)  A-  Setup(fc); 
for  1  <  i  <  ub  do 

(phi,  ski)  <-  Register  (PKp,k)-, 
h  <-  Vot e(ski,  PKr,  nc,  Pi,  k)\ 

_  Y[Pi\  <-  Y  [fii\  +  1; 

L<r-  {pk1,...,pknB}\ 

BB  -c-  {hi, . . . ,  bnB}\ 

(X,  P)  <-  Tally (PKr,  SKr,  BB,  L,  nc,  k)  : 
ub  <  vris  A  nc  <  me  =>  X  =  Y]  >  1  —  p(k). 


Definition  7  (Completeness).  There  exists  a  negligible  func¬ 
tion  p,  such  that  for  all  security  parameters  k,  bulletin  boards 
BB,  and  integers  nc  and  ny,  it  holds  that 

Pr[(PKj-,  SKp,  ms,  me)  ■<—  Setup(fc); 

for  1  <  i  <  ny  do  (pkt,  ski)  A-  Register(PJf7-,  k); 

L<~  {pki,...,pknv}\ 

(X,  P)  <-  Tally(PXr,  SICT,  BB,  L,  nc,  k)  : 

\BB\  <  ms  A  nc  <  me  => 

Verify(Pifr,  BB,  L,  nc,  X,  P,  k)  =  1]  >  1  -  p{k). 

Definition  8  (Injectivity).  For  all  security  parameters  k,  public 
keys  PKp,  integers  nc,  and  choices  f3  and  ft' ,  such  that  p 
f}',  we  have 

Pr[(pfc,  sk)  <r-  Register  (PK-j-jk)', 

( pk',sk' )  <r-  Register (PEp,  fc); 
b  <r-  Vot e(sk,  PKp,  nc,  P,  k); 
b'  <—  Vot e(sk' ,  PKp,  nc,  P' ,  k)  : 
b  f,  J_  A  b'  ±  L  =>•  b  ±  b']  =  1. 

B.  Election  verifiability 

Recall  (from  §II-B|i  that  election  verifiability  is  expressed 
with  experiments,  and  that  an  adversary  wins  by  causing  an 
experiment  to  output  1.  We  henceforth  assume  that  the  adver¬ 
sary  is  stateful — that  is,  information  persists  across  invocations 
of  the  adversary  in  a  single  experiment.  Our  experiments  in 

17It  might  seem  surprising  that  Register  does  not  require  the  registrar  to 
provide  any  private  keys  as  input.  But  in  constructions  of  election  schemes 
with  internal  authentication,  e.g.,  )29|,  |59|,  the  registrar  does  not  sign 
credential  pairs  with  its  own  private  key.  Rather,  the  registrar  signs  the 
electoral  roll. 


Section  [II]  did  not  need  this  assumption,  because  they  never 
invoked  the  adversary  more  than  once. 

In  our  experiments,  below,  we  model  an  adversary  who 
cannot  corrupt  the  registration  process  that  issues  credentials 
to  votersF^I  Hence  our  definitions  will  not  detect  attacks 
against  verifiability  that  result  solely  from  weaknesses  in  the 
registration  process.  Secure  construction  of  electoral  rolls  is 
not  a  topic  that  electronic  voting  usually  addresses — though  it 
seems  an  important  part  of  any  real-world  deployment. 

1)  Individual  verifiability:  The  individual  verifiability  ex¬ 
periment  again  challenges  adversary  A  to  generate  a  scenario 
in  which  the  voter  could  not  uniquely  identify  their  ballotf^] 


Exp-IV-lnt(n,  A,  k)  = 

t  (PKr,ny)  <r-  A(k)\ 

2  for  1  <  i  <  ny  do  (phi,  ski)  <—  Reg\ster(PKp,  k) 

3  Li-  {pk11...,pknv}-, 

4  Crpt  •(—  0; 

s  (nc,P,P',i,j)  <-  AC(L)\ 

6  b  -1—  Vote(sfci,  PKp,  nc,  P,  k)\ 

7  b'  i —  Vote(sfcj,  PKp,  nc,  P' ,  fc); 

8  if 

6  =  b1  Ab  J_A  b'  _L  A i  j  A  ski  &  Crpt  A  skj  £  Crpt 

then 

9  |  return  1 
to  else 

it  return  0 


The  main  differences  from  the  corresponding  experiment  for 
external  authentication  ({ II-B  1[>  are  that  voters  are  registered  in 
line  2,  and  that  A  is  given  access  to  an  oracle  C  in  line  5.  The 
oracle  is  used  to  model  A  corrupting  voters  and  learning  their 
private  credentials:  on  invocation  C(£),  where  1  <  I  <  ny, 
the  oracle  records  that  voter  i  is  corrupted  by  updating  Crpt 
to  be  CrptU{ske}  and  outputs  skr.  In  line  5,  the  voter  indices 
output  by  A  must  be  legal  with  respect  to  ny,  but  we  elide 
that  detail  from  the  experiment  for  simplicity.  Line  8  ensures 
that  A  cannot  trivially  win  by  corrupting  voters. 


2)  Universal  verifiability:  The  universal  verifiability  exper¬ 
iment  again  challenges  A  to  concoct  a  scenario  in  which  Verify 
incorrectly  accepts: 


l8Kiisters  and  Truderung  \hl\  explore  some  consequences  of  permitting 
adversarial  influence  during  registration. 

19Unlike  Exp-IV-Ext,  a  variant  of  Exp-IV-Int  that  challenges  A  to  predict 
the  output  of  Vote  is  strictly  stronger.  See  the  companion  technical  report  Q 
for  details. 
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Exp-UV-lnt(II,  A,  k)  = 

1  (PK'r,nv)  A{k)\ 

2  for  1  <  i  <  ny  do  {pkit  ski )  <—  Registe^PXy,  fc) 

3  L  <r-  {pk1,...,pknv}; 

4  M  <-  {{pkx,  sk i), . . . ,  (pknv,  sknv)}\ 
s  {BB,  nc,  X,  P)  «-  A{M)\ 

6  Y  <—  correct-tally {PK j- ,  PP ,  M,nc,k); 

7  if  X  ^  Y  A  Verify(PXr,  BB ,  P,  nc,  X,  P,  fc)  =  1  then 

8  |  return  1 

9  else 

10  return  0 


The  main  differences  from  the  corresponding  experiment  for 
external  authentication  (j  II-B2[)  are  that  voters  are  registered 
in  line  2,  and  their  credential  pairs  are  used  in  the  rest  of  the 
experiment. 

Function  correct-tally  is  now  modified  to  tally  only  autho¬ 
rized  ballots.  A  ballot  is  authorized  if  it  is  constructed  with  a 
private  credential  from  M,  and  that  private  credential  was  not 
used  to  construct  any  other  ballot  on  BB.  By  comparison,  the 


original  correct-tally  function  ()II-B2i  tallies  all  the  ballots 
on  BB. 

Formally,  let  function  correct-tally  now  be  defined  such 
that  for  all  PKp,  BB,  M,  nc,  k,  £,  and  P  £  {1, . . . ,  nc}, 

correct-tally  {PKp ,  BB,  M,  nc ,  k)[/3]  =  i 
4=>  3~eb  £  authorized {P K p,  {BB  \  { ±.}),M,nc,k )  : 

3 sk,  r  :  b  =  Vot e{sk,  PKp,  nc,  P,  k:  r). 


Let  authorized  be  defined  as  follows: 


authorized{PKp,  BB,  M,  nc,  k)  = 

{b:  be  BB 

A  3 pk,  sk,  p,r  :  b  =  Vot e(sk,  PKp,  nc,  P,  k;  r) 

A  {pk,  sk)  e  M  A  -36',  p’ ,  r'  :  6'  e  {BB  \  {b}) 
A  b'  =  Vot e{sk,  PKp,  nc,  P’ ,  k;  r')}. 


Function  authorized  discards  all  revotes — that  is,  if  there  is 
more  than  one  ballot  submitted  with  a  private  credential  sk, 
then  all  ballots  submitted  under  that  credential  are  discarded. 
Therefore,  election  schemes  that  permit  revoting  cannot  by 
analyzed  with  this  definition  of  authorized.  But  alternative 
definitions  of  authorized  are  possible — for  example,  if  ballots 
were  timestamped,  authorized  could  discard  all  but  the  most 
recent  ballot  submitted  under  a  particular  credential. 

3)  Eligibility  verifiability:  Recall  (from  §II-B3 1  that  for 
an  election  scheme  to  satisfy  eligibility  verifiability,  anyone 
must  be  able  to  check  that  every  tallied  vote  was  cast  by  an 
authorized  voter — that  is,  it  must  be  possible  to  authenticate 
ballots.  Because  voters  are  issued  credential  pairs  that  can 
be  used  to  authenticate  ballots,  it  suffices  to  ensure  that 
knowledge  of  a  private  credential  is  necessary  to  construct 
an  authentic  ballot. 

Eligibility  verifiability  experiment  Exp-EV-Int  therefore 
challenges  A  to  produce  a  ballot  under  a  private  credential 
that  A  does  not  know: 


Exp-EV-lnt(II,  A,  k )  = 

t  {PKq-,nv)  •£-  A{k)\ 

2  for  1  <  i  <  ny  do  {phi,  ski)  <—  Reg\ster{PK-r,k); 

3  Le-  {pk1,...,pknv}-, 

4  Grpt  e-  0;  Rvld  e-  0; 

5  ( nc,P,i,b )  e-  AC’R{L)\ 

6  if  3r  :  6  =  Vote(sfci,  PKj-,  nc,  P,  fc;  r)  A  6  ^  1  A  6  ^ 
Rvld  A  ski  £  Crpt  then 

7  |  return  1 

8  else 

9  return  0 


In  line  1,  A  chooses  the  tallier’s  public  key  and  the  number  of 
voters.  Line  2  registers  voters.  A  is  not  permitted  to  influence 
registration  while  it  is  in  progress.  In  particular,  A  is  not 
permitted  to  choose  credential  pairs,  because  by  doing  so  A 
could  trivially  win  the  experiment. 

Line  4  initializes  two  sets:  Crpt  is  a  set  of  voters  who 
have  been  corrupted,  meaning  that  A  has  learned  their  private 
credential,  and  Rvld  is  a  set  of  ballots  that  have  been  revealed 
to  A.  The  former  set  models  A  coercing  voters  to  reveal  their 
private  credentials.  The  latter  set  models  A  observing  ballots 
on  the  bulletin  board. 

Line  5  challenges  A  to  produce  a  ballot  6  with  the  help 
of  two  oracles.  Oracle  C  is  the  same  oracle  as  in  Exp-IV-Int 
(cf.  i  IV-B1 1;  it  leaks  the  private  credentials  of  corrupted  voters 
to  A.  Oracle  R  reveals  ballots.  On  invocation  R{i,  p,nc), 
where  1  <  *  <  ny,  oracle  R  does  the  following: 


•  Computes  a  ballot  6  that  represents  a  vote  for  candidate 

P  by  a  voter  with  private  credential  sk,  .  that  is,  computes 
6  Vot e{ski,  PK'j-,  nc,  P,  k). 

•  Records  6  as  being  revealed  by  updating  Rvld  to  be 
Rvld  U  {6}. 

•  Outputs  6. 


In  line  6,  A  wins  if  (i)  the  ballot  is  authentic,  meaning  that 
it  is  the  output  of  Vote  on  an  authorized  credential,  and  (ii) 
that  credential  belongs  to  a  voter  that  A  did  not  corrupt,  and 
(iii)  that  ballot  was  not  revealed.  If  A  cannot  succeed  in  this 
experiment,  then  only  authorized  votes  are  tallied. 

4)  Election  verifiability:  With  Exp-IV-Int,  Exp-UV-Int,  and 
Exp-EV-Int,  we  define  election  verifiability  with  internal  au¬ 
thentication. 


Definition  9  (Ver-lnt).  An  election  scheme  II  satisfies  elec¬ 
tion  verifiability  with  internal  authentication  (Ver-lnt)  if  for 
all  PPT  adversaries  A,  there  exists  a  negligible  function 
p,  such  that  for  all  security  parameters  k,  it  holds  that 
Succ(Exp-IV-lnt(II,  A,  k))  +  Succ(Exp-UV-lnt(II,  A,  k))  + 
Succ(Exp-EV-lnt(II,  A,  k))  <  p{k). 

An  election  scheme  satisfies  eligibility  verifiability  if 
Succ(Exp-EV-lnt(II,  A,  k))  <  p{k),  and  similarly  for  indi¬ 
vidual  and  universal  verifiability. 


C.  Example — Toy  schemes  from  digital  signatures 

A  toy  election  scheme  satisfying  Ver-lnt  can  be  based 
on  a  digital  signature  scheme  (Gen. Sign,  Ver).  Each  voter 
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publishes  their  signed  candidate  choice  on  the  bulletin  board. 

Definition  10.  Election  scheme  Sig  is  defined  as  follows: 

•  Setup(fc)  outputs  (J_,  l.,pi(k),p2(k)),  where  p\  and  P2 
may  be  any  polynomial  functions. 

•  Register  (PKp,k)  computes  ( pk,sk )  4—  Gen(lfe)  and 
outputs  ( pk ,  sk). 

•  \/ote(sk,  PKp,nc,  fi,k)  outputs  (/3,  Sign(sfc,  /3)). 

•  Tally (PKp,  SKp,  BB ,  L,nc,  k)  computes  a  vector  X 
of  length  nc,  such  that  X  is  a  tally  of  all  the  ballots 
on  BB  that  are  signed  by  distinct  private  keys  whose 
corresponding  public  keys  appear  in  L,  and  outputs 

(X.-L). 

•  Verify(PX7-,  BB,  L,  nc,  X,  P,  k)  outputs  1  ;/(X,P)  = 
Tally(_L,  _L,  BB,  L,  nc,  -L)  and  0  otherwise. 

The  verifiability  of  Sig  follows  from  the  security  of  the 
underlying  signature  scheme: 

Proposition  3.  If  (Gen,  Sign.  Ver)  is  a  signature  scheme 
satisfying  existential  unforgeablility  under  adaptive  chosen- 
message  attack,  then  Sig  satisfies  Ver- 1 nt. 

Proof  sketch.  Sig  satisfies  individual  verifiability,  because  vot¬ 
ers  can  verify  that  their  signed  choices  appear  on  the  bulletin 
board.  Sig  satisfies  universal  verifiability,  because  signed  plain¬ 
text  choices  are  posted  on  BB.  Finally,  Sig  satisfies  eligibility 
verifiability,  because  anyone  can  check  that  the  signed  choices 
belong  to  registered  voters.  □ 

D.  Orthogonality 

Exp-IV-Int,  Exp-UV-Int,  and  Exp-EV-Int  capture  mostly 
orthogonal  security  properties,  as  shown  in  Table  [I]  Individ¬ 
ual  and  universal  verifiability  are  orthogonal,  and  eligibility 
verifiability  implies  individual  verifiability. 

Theorem  4.  If  an  election  scheme  II  satisfies  Exp-EV-Int, 
then  II  also  satisfies  Exp-IV-Int. 

Proof  sketch.  If  II  satisfies  Exp-EV-Int,  then  no  one  can 
construct  a  ballot  that  appears  to  be  associated  with  public 
credential  pk  unless  they  know  private  credential  sk.  That 
means  that  a  voter  can  uniquely  identify  their  ballot,  because 
no  one  else  knows  their  private  credential.  Therefore  II  satis¬ 
fies  Exp-IV-Int.  □ 

The  proof  of  Theorem  [4]  appears  in  the  companion  technical 
report  (TJ. 

In  Table  [I]  AlwaysVerify(-)  is  a  function  that  transforms 
an  election  scheme  by  compromising  Verify  to  always  re¬ 
turn  1.  Thus,  AlwaysVerify(II)  is  guaranteed  not  to  satisfy 
Exp-UV-Int.  Similarly,  IgnoreCreds(-)  is  a  function  that  ac¬ 
cepts  as  input  an  election  scheme  with  external  authentication 
and  returns  as  output  an  election  scheme  with  internal  au¬ 
thentication.  The  resulting  scheme,  however,  simply  ignores 
credentials  altogether:  Register  returns  (_L,  _L),  Vote  ignores 
sk,  and  Tally  and  Verify  ignore  L.  Thus,  IgnoreCreds(II)  is 
guaranteed  not  to  satisfy  Exp-EV-Int.  Using  those  functions, 
we  briefly  explain  each  line  of  the  table: 


Line 

IV 

uv 

EV 

Scheme 

i 

X 

X 

X 

AlwaysVerify(lgnoreCreds(Choice)) 

2 

X 

X 

/ 

— 

3 

X 

✓ 

X 

IgnoreCreds(Choice) 

4 

X 

/ 

/ 

— 

5 

/ 

X 

X 

AlwaysVerify(lgnoreCreds(  Nonce)) 

6 

/ 

X 

/ 

AlwaysVerify(Sig) 

7 

/ 

/ 

X 

Malleable  Sig 

8 

/ 

✓ 

✓ 

Sig 

TABLE  I 

Election  schemes  that  satisfy  each  combination  of  individual, 

UNIVERSAL  AND  ELIGIBILITY  VERIFIABILITY 


1)  Recall  (from  §II-D|>  that  Choice  is  the  election  scheme  in 
which  ballots  contain  only  the  plaintext  candidate  choice. 
By  compromising  Verify  and  ignoring  credentials,  we 
obtain  a  scheme  that  satisfies  no  properties. 

2)  By  Theorem  [4j  this  situation  is  impossible. 

3)  Compared  to  line  1  of  Table  [T}  this  scheme  satisfies 
Exp-UV-Int,  because  Verify  is  not  compromised. 

4)  By  Theorem  [4j  this  situation  is  impossible. 

5)  Nonce  satisfies  Exp-IV-Ext  and  Exp-UV-Ext.  Moreover, 
IgnoreCreds(Nonce)  satisfies  Exp-IV-Int  and  Exp-UV-Int. 
By  compromising  Verify,  we  obtain  a  scheme  that  satis¬ 
fies  only  Exp-IV-Int. 

6)  Sig  satisfies  all  three  properties.  By  compromising  Verify, 
we  obtain  a  scheme  that  satisfies  only  Exp-IV-Int  and 
Exp-EV-Int. 

7)  By  making  Sig’s  underlying  signature  scheme  mal¬ 
leable^  we  could  obtain  a  scheme  that  does  not  satisfy 
Exp-EV-Int,  because  the  adversary  could  construct  a  valid 
ballot  out  of  a  revealed  ballot.  But  the  scheme  would 
continue  to  satisfy  Exp-IV-Int  and  Exp-UV-Int. 

8)  Sig  satisfies  all  three  properties. 

V.  Case  Study:  JCJ 

JCJ  (named  for  its  designers,  Juels,  Catalano,  and  Jakobs- 
son)  m-m  is  a  coercion-resistant  election  scheme,  mean¬ 
ing  voters  cannot  prove  whether  or  how  they  voted,  even  if 
they  can  interact  with  the  adversary  while  voting.  Coercion 
resistance  protects  elections  from  improper  influence  by  ad¬ 
versaries. 

To  achieve  verifiability  and  coercion  resistance,  JCJ  uses 
verifiable  mixnets ,  which  anonymize  a  set  of  messagesp] 
During  tallying,  all  encrypted  choices  are  anonymized  by  a 
mixnet,  then  all  choices  are  decrypted.  The  tally  is  computed 
from  the  decrypted  choices.  Informally,  JCJ  works  as  follows: 

•  Setup.  The  tallier  generates  a  key  pair  (PK p,  SKp)  for 
an  encryption  scheme  and  publishes  the  public  key. 

•  Registration.  To  register  a  voter,  the  registrar  generates 
a  nonce,  which  is  sent  to  the  voter  and  serves  as  the 
private  credential.  The  public  credential  is  computed  as  an 

-'’Given  a  message  m  and  signature  a,  a  malleable  signature  scheme 
permits  computation  of  a  signature  a'  on  a  related  message  m'  [21 1.  The 
malleable  signature  scheme  Sig  used  in  line  7  of  Table  |Tj  would  need  to 
enable  an  adversary  to  transform  a  signature  on  a  well-formed  candidate  0 
into  a  signature  on  a  distinct,  well-formed  candidate  0' . 

-’Chaum  1 22 1  introduced  mixnets.  Adida  [2|  surveys  verifiable  mixnets. 
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encryption  of  the  private  credential  with  PKj-.  After  all 
voters  are  registered,  the  registrar  publishes  the  electoral 
roll. 

•  Voting.  A  voter  encrypts  her  candidate  choice  with  PK p. 
She  also  encrypts  her  private  credential  with  PKp.  She 
proves  in  zero-knowledge  that  she  simultaneously  knows 
both  plaintexts,  and  that  her  choice  is  well-formed.  The 
voter  posts  her  ballot  (i.e.,  both  ciphertexts  and  the  proof) 
on  the  bulletin  board. 

•  Tallying.  The  tallier  discards  any  ballots  from  the  bulletin 
board  for  which  the  zero-knowledge  proofs  do  not  verify. 
All  unauthorized  ballots  are  then  discarded  through  a 
combination  of  protocols  that  includes  verifiable  mixnets 
and  plaintext  equivalence  tests  (PETs)  (PETs  enable 
proof  that  two  ciphertexts  contain  the  same  plaintext 
without  revealing  that  plaintext.)  The  tallier  decrypts  and 
publishes  the  remaining  ballots,  along  with  a  proof  that 
decryption  was  performed  correctly. 

•  Verification.  A  verifier  checks  all  the  proofs  included  in 
ballots,  and  all  the  proofs  published  during  tallying. 

The  companion  technical  report  Jl|  gives  a  formal  descrip¬ 
tion  of  JCJ.  That  formalization  satisfies  individual  and  uni¬ 
versal  verifiability,  assuming  that  the  cryptographic  primitives 
satisfy  certain  properties  that  we  identify.  But  the  formalization 
fails  to  satisfy  eligibility  verifiability,  because  knowledge  of 
the  tallier’s  private  key  SK 7-  suffices  to  construct  ballots 
that  appear  authentic:  with  SK 7-,  any  public  credential  can 
be  decrypted  to  discover  the  corresponding  private  credential. 
Note  that  Exp-EV-Int  permits  an  adversary  A  to  choose  the 
tallier’s  key  pair,  so  A  does  know  SK 7-  hence  can  construct 
a  ballot  that  suffices  to  win  Exp-EV-Int. 

We  can  nonetheless  prove  that  JCJ  satisfies  a  variant  of 
eligibility  verifiability.  Consider  the  following  experiment, 
which  does  not  permit  the  adversary  to  choose  the  tallier’s 
key  pair: 

Exp-EV-lnt-Weak(II,  A,  k)  = 

r  (PKp,  SKp,  ms,  me)  Setup(/c); 

2  ny  A-  A(PKp,  k ); 

3  for  1  <  *  <  ny  do  ( pk ,,  ski)  t—  Reg\ster(PKj- ,  fc); 

4  Li-  {pk±, . .  .,pknv}\ 

s  Crpt  0;  Rvld  0; 

6  (nc,  /3,i,b)  AC’R{L); 

7  if  3r  :  b  =  Vote(sfci,  PKp,  nc ,  /3,  k\  r)  A  b  ^  1  A  b  ^ 

Rvld  A  ski  Crpt  then 

8  |  return  1 

9  else 

to  |_  return  0 

Line  1  of  Exp-EV-Int  has  been  refactored  into  lines  1  and  2 
of  Exp-EV-Int-Weak.  In  line  1  of  Exp-EV-Int-Weak,  keys  are 
generated  by  the  experiment.  In  line  2,  A  is  given  the  public 
key  but  not  the  private  key. 

Using  Exp-EV-Int-Weak,  we  define  a  weaker  variant  of 
Ver-lnt  and  prove  that  JCJ  satisfies  it: 

Definition  11  (Ver-Int-Weak).  An  election  scheme  II  sat¬ 


isfies  weak  election  verifiability  with  internal  authentication 
(Ver-Int-Weak)  if  for  all  probabilistic  polynomial-time  adver¬ 
saries  A,  there  exists  a  negligible  function  p,  such  that  for  all 
security  parameters  k,  we  have  Succ(Exp-IV-lnt(II,  A,  k))  + 
Succ(Exp-UV-lnt(II,  A,  k))  +  Succ(Exp-EV-lnt-Weak(II,  A, 
k))  <  p(k). 

Theorem  5.  JCJ  satisfies  Ver-Int-Weak. 

Proof  sketch.  JCJ  satisfies  individual  verifiability,  because 
the  probabilistic  encryption  scheme  ensures  that  ballots  are 
unique,  with  overwhelming  probability.  JCJ  satisfies  universal 
verifiability,  because  the  proofs  produced  throughout  tallying 
can  be  publicly  verified.  And  JCJ  satisfies  eligibility  verifiabil¬ 
ity,  because  A  cannot  construct  new  ballots  without  knowing 
a  voter’s  private  credential  or  the  tallier’s  private  key.  D 

A  formal  proof  of  Theorem  [5]  appears  in  the  companion 
technical  report  0-  The  proof  assumes  the  random  oracle 
model. 

The  Civitas  [29]  scheme  refines  the  JCJ  scheme.  Some 
refinements  relevant  to  election  verifiability  are  an  implemen¬ 
tation  of  a  distributed  registration  protocol,  and  a  mixnet  based 
on  randomized  partial  checking  (RPC)  {55|.  We  leave  a  proof 
that  Civitas  satisfies  Ver-Int-Weak  as  future  work. 

VI.  New  classes  of  attack 

Our  definitions  of  election  verifiability  improve  upon  exist¬ 
ing  definitions  by  detecting  two  previously  unidentified  classes 
of  attack: 

•  Collusion  attacks.  An  election  scheme’s  tallying  and 
verification  algorithms  might  be  designed  such  that  they 
collude  to  accept  incorrect  tallies. 

•  Biasing  attacks.  An  election  scheme’s  verification  al¬ 
gorithm  might  be  designed  such  that  it  rejects  some 
legitimate  tallies. 

Although  a  well-designed  election  scheme  would  hopefully 
not  exhibit  these  vulnerabilities,  it  is  the  job  of  verifiability 
definitions  to  detect  malicious  schemes,  regardless  of  whether 
vulnerabilities  are  due  to  malice  or  errors.  So  definitions  of 
election  verifiability  should  preclude  collusion  and  biasing 
attacks. 

A.  Collusion  Attacks 

Here  are  two  examples  of  potential  collusion  attacks: 

•  Vote  stuffing.  Tally  behaves  normally,  but  adds  k  votes 
for  candidate  f3.  Verify  subtracts  k  votes  from  /3,  then 
proceeds  with  verification  as  normal.  Elections  thus  verify 
as  normal,  except  that  candidate  (3  receives  extra  votes. 

.  Backdoor  tally  replacement.  Tally  and  Verify  behave 
normally,  unless  a  backdoor  value  is  posted  on  the 
bulletin  board  BB.  For  example,  if  (SKp ,  X  " )  appears 
on  BB,  then  Tally  and  Verify  both  ignore  the  correct 
tally  and  instead  replace  it  with  tally  X*.  Value  SK 7-  is 
the  backdoor  here;  it  cannot  appear  on  BB  (except  with 
negligible  probability)  unless  the  tallier  is  malicious. 
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Vote  stuffing  is  detected  by  our  definitions  of  Correctness 
(§11- A  and  i  IV-A||,  because  these  definitions  require  that  the 
tally  produced  by  Tally  corresponds  to  the  choices  encapsu¬ 
lated  in  ballots  on  the  bulletin  board.  Note  that  vote  stuffing 
is  not  a  failure  of  eligibility  verifiability,  because  the  stuffed 
votes  do  not  correspond  to  any  ballots  on  the  bulletin  board. 
Backdoor  tally  replacement  is  detected  by  our  definitions 
of  universal  verifiability  (§II-B2  and  <TV-B2i,  because  those 
definitions  require  Verify  to  accept  only  those  tallies  that 
correspond  to  a  correct  tally  of  the  bulletin  board. 

We  show,  next,  that  the  definition  of  election  verifiability 
by  Juels  et  al.  (59]  fails  to  detect  vote  stuffing  and  backdoor 


tally  replacement,  and  that  the  definition  by  Cortier  et  al.  [  32 1 
fails  to  detect  backdoor  tally  replacement. 

Juels  et  al.  (59]  formalize  definitions  that  we  name  JCJ- 


correctness  and  JCJ-verifiability.  JCJ-correctness  is  intuitively 
meant  to  capture  that  “A  cannot  pre-empt,  alter,  or  cancel  the 
votes  of  honest  voters  [and]  that  A  cannot  cause  voters  to  cast 
ballots  resulting  in  double  voting”  [59  p.  45];  it  is  formalized 
in  terms  of  whether  the  adversary  can  post  ballots  on  the 
bulletin  board  that  cause  the  tally  to  be  computed  incorrectly. 
JCJ-verifiability  is  intuitively  “the  ability  for  any  player  to 
check  whether  the  tally. . .  has  been  correctly  computed”  (59] 
p.  46];  it  is  formalized  in  terms  of  whether  Verify  will  accept 
a  tally  that  differs  from  the  output  of  Tally.  We  restate  the 
formal  definitions  in  the  companion  technical  report  (Tj|. 

To  show  that  the  JCJ  definitions  fail  to  detect  collu¬ 
sion  attacks,  we  first  formalize  the  vote  stuffing  attack.  An 
election  scheme  II  =  (...,  Tally,  Verify)  can  be  modified 
to  derive  a  vote-stuffing  election  scheme  Stuff  (II,  fi,  n)  = 
(. . . ,  Tallys,  Verify^),  which  adds  n  votes  to  /3,  as  follows^] 

•  Tallys(. ..)  computes  (X,P)  •<—  Ta  I  ly  (. . .)  and  outputs 

(Add(X,/3,K),P)g 

•  Verifys(. . . ,  X,  P, . . .)  computes  v  ■£-  Verify(. . . ,  Add( 
X,  /3,  —k),P,  . . .)  and  outputs  v. 


Proposition  6.  Given  an  election  scheme  II  satisfying  JCJ- 
correctness  and  JCJ-verifiability,  and  integers  ft  and  k,  it 
holds  that  Stuff (II,  /3,  k)  satisfies  JCJ-correctness  and  JCJ- 
verifiability. 

A  formal  proof  appears  in  the  companion  technical  report  |1|. 

Second,  we  formalize  the  backdoor  tally  replacement  attack. 
An  election  scheme  II  =  (. . . ,  Tally,  Verify)  can  be  modified 
to  derive  an  election  scheme  Backdoor(II)  =  (...,Tallys, 
Verify^),  as  follows: 

•  TallyB(. . . ,  SKr,  BB, . . .)  checks  whether  there  exists  a 
unique  X*  such  that  (SKy-,iX.*)  £  BB.  If  so,  TallyB 
outputs  (X*,_L).  Otherwise,  Tallys  computes  (X,P)  •<— 
Tally(. . . ,  SK-j-,  BB, . . .)  and  outputs  (X,  P). 

•  Verify B(PK'j-, . . . ,  BB, . . . ,  X,  P, . . .)  checks  whether 


22We  omit  many  of  the  parameters  of  Tally  and  Verify  here  for  simplicity; 
see  the  companion  technical  report  1 1 1  for  details. 

23 Let  Add (X,/3,k)  =  (X[lJ7. . . ,  X[/3  -  1] ,  X[/3]  +  k,X[/3  + 

1], . . . ,  X[|X|]).  And  let  |X|  denote  the  length  of  vector  X. 


there  exists  a  unique  X*  such  that  (SKj-,K*)  £  PPp*] 
If  so.  Verify^  outputs  1.  Otherwise,  Verify^  computes 
v  £-  \/eri\fy(PK']-, . . . ,  BB, . . . ,  X,  P, . . .)  and  outputs  v. 


Proposition  7.  Given  an  election  scheme  II  satisfying  JCJ- 
correctness  and  JCJ-verifiability  that  does  not  leak  the  tal- 
lier’s  private  key,  it  holds  that  Backdoor(II)  satisfies  JCJ- 
correctness  and  JCJ-verifiability. 


A  formal  proof  appears  in  the  companion  technical  report  (TJ, 
where  we  also  formally  define  key  leakage. 

Cortier  et  al.  |32j  propose  definitions  similar  to  JCJ- 
verifiability  and  insist  that  election  schemes  must  satisfy  their 
notions  of  correctness  and  partial  tallying.  Vote  stuffing  is 
detected  by  their  correctness  property,  but  backdoor  tally 
replacement  is  not.  The  ideas  remain  the  same,  so  we  omit 
formalized  results.  We  have  reported  these  findings  to  the 
original  authors  (3TJ,  gg,  (44). 


B.  Biasing  attacks 

Here  are  three  formalizations  of  biasing  attacks,  derived 
from  an  election  scheme  n  =  (. . . ,  Verify). 

•  Reject  All.  Let  Reject(n)  be  (. . . ,  Verify R),  where 
Verify  always  outputs  0.  Verify  therefore  always  re¬ 
jects,  hence  no  election  can  ever  be  considered  valid. 

•  Selective  Reject.  Let  e  be  a  distinguished 

value  that  would  not  be  posted  on  the  bulletin 
board  by  honest  voters.  Let  Selective(n,  e)  be 

(. . . ,  Verify^),  where  Verify  yj(. . . ,  BB, . . .)  computes 
v  ■£-  Verify(. . . ,  BB, . . .)  and  outputs  1  if  both  v  =  1 
and  e  qL  BB.  Otherwise,  Verify^  outputs  0.  Verify^ 
therefore  rejects  if  e  appears  on  the  bulletin  board,  hence 
some  elections  can  be  invalidated. 

•  Biased  Reject.  Suppose  Z  is  a  set  of  tallies.  Let 
Bias(n,  Z)  be  (. . . ,  Verify^),  where  Verify^. . . ,  X, . . .) 
computes  v  ■£-  Verify(. . . ,  X, . . .)  and  outputs  1  if  both 
v  =  1  and  X  £  Z.  Otherwise,  Verify^  outputs  0.  Verify 
therefore  only  accepts  a  subset  of  the  tallies  accepted  by 
Verify,  hence  biases  tallies  toward  Z. 

These  formalizations  do  not  satisfy  our  definition  of  Complete¬ 
ness  (<TI-A  and  §IV-A  i,  hence,  our  definitions  of  verifiability 
detect  these  biasing  attacks. 

The  definition  of  verifiability  by  Juels  et  al.  (59)  fails  to 
detect  all  three  of  the  above  attacks,  because  that  definition 
has  no  notion  of  Completeness.  For  example,  it  is  vulnerable 
to  Biased  Reject  attacks: 


Proposition  8.  Given  an  election  scheme  n  satisfying  JCJ- 
correctness  and  JCJ-verifiability,  and  given  a  multiset  Z, 
it  holds  that  Bias(n,  Z)  satisfies  JCJ-correctness  and  JCJ- 
verifiability. 

A  formal  proof  appears  in  the  companion  technical  report  1 1  ] . 

The  definition  of  verifiability  by  Kiayias  et  al.  (6T)  fails 
to  detect  Selective  Reject  attacks,  because  (like  JCJ)  the 


24 Verify^  also  needs  to  check  that  SK  j-  is  the  private  key  corresponding 
to  PKj-.  We  omit  formalizing  this  detail,  but  note  that  it  is  straightforward 
for  real-world  encryption  schemes  such  as  El  Gamal  and  RSA. 
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definition  has  no  notion  of  Completeness.  Their  notion  of 
Correctness  does  rule  out  Reject  All  and  Biased  Reject  attacks. 


Similarly,  the  definition  of  verifiability  by  Cortier  et  al.  [  32 1 
detects  Biased  Reject  and  Reject  All  attacks,  but  fails  to  detect 
Selective  Reject  attacks,  because  that  definition’s  notion  of 
Completeness  does  not  quantify  over  all  bulletin  boards. 


VII.  Related  Work 

Kiayias  [[60]  presents  an  overview  of  security  properties 
for  election  schemes.  Many  election  schemes  in  the  literature 
state  properties  called  correctness,  accuracy,  or  (universal) 
verifiability  without  formally  defining  those  terms. 

In  the  computational  model,  Juels  et  al.  (57)-(59)  and 
Cortier  et  al.  (32)  give  game-based  definitions  of  verifiability. 
Those  definitions  fail  to  detect  biasing  and  collusion  attacks 


(cf.  SVIi.  Definitions  of  universal  verifiability  (which  is  just 
one  aspect  of  election  verifiability)  in  the  computational  model 
seem  to  originate  with  Benaloh  and  Tuinstra  (TS),  who  define 
a  correctness  property  that  says  every  participant  is  convinced 
that  the  tally  is  accurate  with  respect  to  the  votes  cast,  and 
with  Cohen  and  Fischer  J30|,  who  define  verifiability  to  mean 
that  there  exists  a  check  function  that  returns  good  iff  the 
announced  tally  of  the  election  corresponds  to  the  cast  votes. 

Kiayias  et  al.  (6T)  define  a  property  they  name  E2E  verifia¬ 
bility  (E2E  abbreviates  “end-to-end”).  This  property  combines 
our  intuitive  notions  of  individual  and  universal  verifiability 
into  a  single  definition.  Their  definition  fails  to  detect  Selective 
Reject  attacks  (cf.  [VIi.  Their  definitions,  like  ours,  do 
not  address  voter  intent — that  is,  verification  by  humans  that 
ballots  correctly  encode  candidate  choices — as  we  discuss  in 
Section  [Vm] 

Also  in  the  computational  model,  Groth  |46|,  and  Moran 
and  Naor  (72),  state  definitions  of  verifiability  in  terms  of 
universal  composability  [20].  These  definitions  involve  defin¬ 
ing  an  ideal  functionality,  part  of  that  is  similar  to  our 
correct-tally  function.  Groth’s  definition  does  not  guaran¬ 
tee  universal  verifiability  f46l  p.  2],  but  Moran  and  Naor’s 


does  1 72  p.  386]. 

In  the  symbolic  model,  Smyth  et  al.  (83(1  define  the  first 
definition  of  election  verifiability.  This  definition  is  amenable 
to  automated  reasoning,  but  is  stronger  than  necessary  and 
cannot  be  satisfied  by  many  election  schemes,  including  Helios 
and  Civitas.  Kremer  et  al.  (63)  overcome  this  limitation  with 
a  weaker  definition  that  sacrifices  amenability  to  automated 
reasoning,  and  Smyth  [80  §3]  extends  this  definition.  Dreier 


et  al.  have  adapted  election  verifiability  to  auction  m  and 
examination  [ 39 1  systems. 

Also  in  the  symbolic  model,  Kremer  and  Ryan  [62]  and 
Backes  et  al.  (8j  formalize  definitions  of  eligibility.  These 
definitions  are  not  intended  to  provide  assurances  if  the 
election  authorities  are  dishonest.  For  example,  the  definition 
of  Kremer  and  Ryan  does  not  detect  whether  corrupt  election 
authorities  insert  votes  (62]  §5.2].  Likewise,  the  definition  of 
Backes  et  al.  assumes  that  election  authorities  are  honest  (8j 

§3]. 


Our  definition  of  election  verifiability  follows  Smyth  et 
al.  (63),  (80),  [83]  by  deconstructing  it  into  individual,  uni¬ 
versal,  and  eligibility  verifiability.  Other  deconstructions  of 
election  verifiability  are  possible.  For  example,  Adida  and  Neff 
(7]  §2]  identify  four  aspects  of  verifiability: 

•  Cast  as  intended:  the  ballot  is  cast  at  the  polling  station 
as  the  voter  intended. 

•  Recorded  as  cast:  cast  ballots  are  preserved  with  integrity 
through  the  ballot  collection  process. 

•  Counted  as  recorded:  recorded  ballots  are  counted  cor¬ 
rectly. 

•  Eligible  voter  verification:  only  eligible  voters  can  cast  a 
ballot  in  the  first  place. 


Those  definitions  are  not  mathematical,  so  we  cannot  attempt 
a  precise  comparison.  Nonetheless,  eligibility  verifiability  and 
eligible  voter  verification  seem  to  be  addressing  similar  con¬ 
cerns.  Likewise,  individual  and  universal  verifiability  together 
seem  to  be  addressing  concerns  similar  to  that  of  recorded 
as  cast  and  counted  as  recorded  together.  Recorded  as  cast,  in 
our  work,  reduces  to  the  bulletin  board  preserving  ballots  with 
integrity — a  property  that  we  have  assumed,  because  crypto¬ 
graphic  election  schemes  assume  it,  too.  Ways  to  construct 
secure  bulletin  boards  have  been  proposed,  e.g.. 


1 76 1,  [78 1.  We  postpone  a  discussion  of  cast  as  intended  to 

SectionWini 

Privacy  properties  (38},  (59},  (70),  (81),  (82)— such 

as  ballot  secrecy,  receipt  freeness,  and  coercion  resistance — 
complement  verifiability.  Chevallier-Mames  et  al.  (26),  1 27] 
and  Hosp  and  Vora  HD-  (52)  show  an  incompatibility  result: 
election  schemes  cannot  unconditionally  satisfy  privacy  and 
universal  verifiability.  But  weaker  versions  of  these  properties 
can  hold  simultaneously,  as  can  be  witnessed  from  Theorems [2] 
and  [5]  coupled  with  existing  privacy  results  such  as  the 
ballot  secrecy  proofs  for  Helios  4.0  1 1 8  Theorem  3],  fl6 
Theorem  6.12],  and  the  coercion  resistance  proof  for  JCJ  [59 
§5]. 


Comparison  with  global  verifiability:  Kiisters  et  al.  (68), 
(69),  (ZD  present  a  definition  of  global  verifiability  that  can 
be  used  with  any  kind  of  protocol,  not  just  electronic  voting 
protocols.  To  analyze  the  verifiability  of  a  protocol,  users  of 
this  definition  must  themselves  formalize  goals,  which  are 
properties  required  to  hold  in  every  run  of  the  protocol.  For 
example,  a  goal  7^  is  presented  in  a  case  study  (69|  §5.2]  of 
global  verifiability  applied  to  voting: 


yt  contains  all  runs  for  which  there  exist  choices 
of  the  dishonest  voters  (where  a  choice  is  either  to 
abstain  or  to  vote  for  one  of  the  candidates)  such  that 
the  result  obtained  together  with  the  choices  made  by 
the  honest  voters  in  this  run  differs  only  by  £  votes 
from  the  published  result  (i.e.  the  result  that  can  be 
computed  from  the  simple  ballots  on  the  bulletin 
board). 


Another  goal  7  is  presented  in  a  case  study  [71 
Helios: 


§6.2]  of 


7  is  satisfied  in  a  run  if  the  published  result  exactly 


11 


reflects  the  actual  votes  of  the  honest  voters  in  this 
run  and  votes  of  dishonest  voters  are  distributed  in 
some  way  on  the  candidates,  possibly  in  a  different 
way  than  how  the  dishonest  voters  actually  voted. 


These  informal  statements  of  goals  are  appealing,  but  they 
do  not  constitute  rigorous  mathematical  definitions.  As  Kiayias 
et  al.  write,  “[global  verifiability]  has  the  disadvantage  that  the 
set  7  remains  undetermined  and  thus  the  level  of  verifiability 
that  is  offered  by  the  definition  hinges  on  the  proper  definition 
of  7  which  may  not  be  simple”  tm  p.  476].  In  our  own 
work,  we  found  that  formal  definitions  were  quite  tricky  to  get 
right — for  example,  which  ballots  should  be  counted,  how  to 
count  them,  and  how  to  determine  whether  that  count  differed 
from  the  published  tally.  So  we  shared  {65)  and  discussed  [66] 


our  results  with  Kiisters.  In  response,  Kiisters  et  al.  updated  an 


online  technical  report  to  propose  a  formalization  of  goals  1 64 


§5.2];  we  look  forward  to  analyzing  that  formalization  when 
it  is  published. 

In  an  analysis  of  Helios,  Kiisters  et  al.  HD  use  goal 
7  to  conclude  that  Helios  2.0  satisfies  global  verifiability. 
Yet  Bernhard  et  al.  1 1 8 1  demonstrate  an  attack  against  the 
verifiability  of  Helios  2.0,  and  in  the  companion  technical  re¬ 
port  (T|  we  show  that  Helios  2.0  does  not  satisfy  Ver-Ext.  This 
seeming  discrepancy  arises  because  the  analysis  in  HD  does 
not  formalize  all  the  cryptographic  primitives  used  by  Helios, 
hence  the  attack  goes  unnoticed.  So  another  contribution  of 
our  own  work  is  to  correctly  distinguish  between  unverifiable 
and  verifiable  variants  of  Helios  by  rigorously  analyzing  the 
cryptography  used  in  Helios. 

It  is  natural  to  ask  whether  election  verifiability  can  be 
expressed  in  terms  of  global  verifiability.  We  believe  it  can  be. 
For  instance,  individual,  universal  and  eligibility  verifiability 
could  be  expressed,  in  the  informal  style  of  the  goals  quoted 
above,  as  the  following  goals: 


•  7/v  is  satisfied  in  a  run  if  voters  can  uniquely  identify 
their  ballots  on  the  bulletin  board  in  this  run. 

•  luv  is  satisfied  in  a  run  if  the  correct  tally  of  votes  cast 
by  authorized  voters  in  this  run  is  the  same  as  the  tally 
produced  by  algorithm  Tally. 

•  7 ev  is  satisfied  in  a  run  if  every  ballot  tallied  in  this 
run  was  created  by  a  voter  in  possession  of  a  private 
credential. 


Kiisters  et  al.  {69)  argue  that  deconstructing  verifiability 
into  individual  and  universal  verifiability  is  insufficient  to 
detect  certain  attacks  involving  ill-formed  ballots.  But  those 
attacks  leave  open  the  possibility  that  there  do  exist  notions  of 
individual  and  universal  verifiability  that  would  be  sufficient. 
Indeed,  our  own  definition  of  universal  verifiability  rules  out 
attacks  based  on  ill-formed  ballots,  because  correct-tally 
ensures  that  tallied  ballots  are  well-formed. 

One  concern  that  might  be  raised  is  whether  there  still 
lurk  any  “gaps”  in  our  decomposition  into  individual  and 
universal  (and  eligibility)  verifiability.  Indeed,  there  might  be. 
But  the  definition  of  global  verifiability  does  not  rule  out  the 
possibility  of  gaps,  either:  any  gap  in  the  formal  statement  of  a 


goal  will  lead  to  a  vulnerability.  That  is,  if  the  analyst  forgets  to 
include  some  necessary  facet  of  verifiability  when  stating  the 
formal  goal,  then  global  verifiability  will  not  detect  any  attacks 
against  that  facet.  Global  verifiability  does  not  guarantee  a  lack 
of  gaps. 


VIII.  Concluding  Remarks 


When  we  began  this  work,  we  were  studying  the  Juels  et 
al.  {59)  definition  of  election  verifiability.  We  discovered  that 
the  definition  fails  to  detect  biasing  and  collusion  attacks. 
While  attempting  to  improve  the  Juels  et  al.  definition  to 
rule  out  those  attacks,  we  discovered  that  factoring  it  into 
individual,  universal,  and  eligibility  verifiability  led  to  an 
elegant  decomposition  of  (mostly)  orthogonal  properties.  We 
later  sought  to  apply  our  new  definitions  to  existing  electronic 
voting  systems,  and  Helios  (6j  and  Civitas  |29|  were  natural 
choices.  But  they  treat  authentication  differently — Helios  out¬ 
sources  authentication,  whereas  Civitas  does  not — so  we  were 
led  to  separate  our  definitions  into  variants  for  external  and 
internal  authentication.  We  were  at  first  surprised  to  discover 
that  JCJ,  hence  Civitas,  does  not  satisfy  the  strong  definition  of 
eligibility  verifiability.  But  upon  reflection,  it  became  apparent 
that  an  adversary  who  knows  the  tallier’s  private  key  can  easily 
forge  ballots  that  appear  to  be  from  eligible  voters. 

Our  definitions  of  verifiability  have  not  addressed  the  issue 
of  voter  intent — that  is,  verification  by  a  human  that  the  ballot 
submitted  by  a  voter  corresponds  to  the  candidate  choice  the 
voter  intended  to  make.  Adida  and  Neff  call  this  property 
“cast  as  intended”  {7|.  Many  election  schemes  (e.g.,  {42), 
|5§,  {59),  {61))  do  not  satisfy  cast  as  intended,  because  the 
schemes  implicitly  or  explicitly  assume  that  voters  can  them¬ 
selves  verify  the  cryptographic  operations  required  to  construct 
ballots.  Nevertheless,  schemes  by  Chaum  {23),  Neff  {73),  and 
Benaloh  HD-  G3  introduce  cryptographic  mechanisms  to 
verify  voter  intent.  It  would  be  natural  to  explore  strengthening 
our  definitions  to  address  voter  intent. 

The  goal  of  this  research  is  to  enable  verifiability  of  the 
voting  systems  we  use  in  real-life,  rather  than  merely  trusting 
them.  Research  on  verifiability  can  generalize  beyond  voting 
to  other  systems  that  must  guarantee  strong  forms  of  integrity. 
Verifiable  voting  systems  thus  have  the  potential  to  contribute 
to  the  science  of  security,  to  democracy,  and  to  broader  society. 
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